The past couple of weeks have been interesting times for anyone following the malicious Blackhole exploit kit that continues to dominate the charts.

Don't get me wrong, we expect changes and updates - the individuals behind the kit work tirelessly to try and evade security products. However, some of the recent changes are a little confusing to say the least!

One of the key aspects of the Blackhole exploit kit that we identified in previous research was the organised and coordinated nature of the kit. For example, as soon as a new obfuscation method was added, we would quickly see it in use across the majority of exploit sites being tracked.

The release, in September 2012, of Blackhole exploit kit version 2 introduced several changes, but the coordinated 'rollout' of minor tweaks and modifications continued.

And so to recent developments that we have been observing. Firstly, let's start off with a quick recap of what we are seeing:

- When Blackhole v2 was first released, a number of the older exploits were removed from the kit (perhaps most notably, Flash was completely removed). Recently we are seeing Flash exploits back again. Some of the latest kits seem to be targeting the same vulnerabilities that v1.x Blackhole did, and they use exactly the same filenames: field.swf (CVE-2011-0611) and flash.swf (CVE-2011-2110).

- Java vulnerabilities are still a favourite, with exploits including CVE-2012-5076 (Sept 2012) and CVE-2012-1723.

- The classic "old" (version 9.4) Adobe PDF vulnerabilities are back.

- A font vulnerability (CVE-2011-3402) is sometimes being loaded as well. This has been associated with a recent exploit kit known as 'Cool Exploit Kit'.

So what is going on? Why this sudden burst of diversity from Blackhole?

Or is this a new kit? Are some of these recent Blackhole changes actually not Blackhole at all, but some other kit?

As I have been putting together this post, I see that our colleagues at F-Secure are asking a similar question.

Several factors point to this being Blackhole (or at least very closely related - same codebase, potentially same authors).

- Obvious similarities in the function names, filenames, structure etc. of the exploit site